ACS 5.3 WLC Certificates RADUIS Active Directory

Similar Messages

• Certificate issues Active Directory Certificate Services could not process request 3699 due to an error: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013

  Hi,
  We have some problems with our Root CA. I can se a lot of failed requests. with the event id 22: in the logs. The description is: Active Directory Certificate Services could not process request 3686 due to an error: The revocation function was unable to
  check revocation because the revocation server was offline. 0x80092013 (-2146885613).  The request was for CN=xxxxx.ourdomain.com.  Additional information: Error Verifying Request Signature or Signing Certificate
  A couple of months ago we decomissioned one of our old 2003 DCs and it looks like this server might have had something to do with the CA structure but I am not sure whether this was in use or not since I could find the role but I wasn't able to see any existing
  configuration.
  Let's say that this server was previously responsible for the certificates and was the server that should have revoked the old certs, what can I do know to try and correct the problem?
  Thank you for your help
  //Cris

  hello,
  let me recap first:
  you see these errors on a ROOT CA. so it seems like the ROOT CA is also operating as an ISSUING CA. Some clients try to issue a new certificate from the ROOT CA and this fails with your error mentioned.
  do you say that you had a PREVIOUS CA which you decomissioned, and you now have a brand NEW CA, that was built as a clean install? When you decommissioned the PREVIOUS CA, that was your design decision to don't bother with the current certificates that it
  issued and which are still valid, right?
  The error says, that the REQUEST signature cannot be validated. REQUESTs are signed either by itself (self-signed) or if they are renewal requests, they would be signed with the previous certificate which the client tries to renew. The self-signed REQUESTs
  do not contain CRL paths at all.
  So this implies to me as these requests that are failing are renewal requests. Renewal requests would contain CRL paths of the previous certificates that are nearing their expiration.
  As there are many such REQUEST and failures, it probably means that the clients use AUTOENROLLMENT, which tries to renew their current, but shortly expiring, certificates during (by default) their last 6 weeks of lifetime.
  As you decommissioned your PREVIOUS CA, it does not issue CRL anymore and the current certificates cannot be checked for validity.
  Thus, if the renewal tries to renew them by using the NEW CA, your NEW CA cannot validate CRL of the PREVIOUS CA and will not issue new certificates.
  But it would not issue new certificates anyway even if it was able to verify the PREVIOUS CA's CRL, as it seems your NEW CA is completely brand new, without being restored from the PREVIOUS CA's database. Right?
  So simply don't bother :-) As long as it was your design to decommission the PREVIOUS CA without bothering with its already issued certificates.
  The current certificates which autoenrollment tries to renew cannot be checked for validity. They will also slowly expire over the next 6 weeks or so. After that, autoenrollment will ask your NEW CA to issue a brand new certificate without trying to renew.
  Just a clean self-signed REQUEST.
  That will succeed.
  You can also verify this by trying to issue a certificate on an affected machine manually from Certificates MMC.
  ondrej.

• DNS, Certificates, and Active Directory - School Setup Issues

  Our school has been piloting a small iPad depolyment.  I have been struggling with getting Profile Manager to work correctly since August of last year. Here's the setup:
  1. Active Directory DNS/DHCP server (set as "school.local"--yes, I know .local is bad form, but it was set before I got here). I have changed the "Digest" to "Basic" setting
  2. Mac Mini server that has its own external IP and hostname ("mac.school.org") and is also bound to the AD server for user authentication for services (Profile Manager, WebDAV, wiki, etc.). I have a self-signed SSL certificate installed under the name "mac.school.org"
  3. About 90 iPads, and a handfull of Mac desktops
  In a perfect world, users would be able to login (with their AD credentials) to the Profile Manager self-service portal using the external hostname of the mac server ("mac.school.org/mydevices"), install the Trust Profile, and enroll the device (iPad, Mac, etc).
  However, this is not the case.  The setup seems to work for awhile; quite perfectly in fact. But then for reasons unknown to me, everything just "breaks" and Profile Manager ceases to work like it should. Here are some of issues I am seeing:
  a.) DNS service on the Mac server turns itself ON randomly.  DNS should NOT be running this server, correct? All DNS lookups internally are done by the AD server. I've used changeip and everything matches (both say "mac.school.org")
  b.) Whenever we use VPN, and at other seemingly random times, the server's hostname changes from "mac.school.org" to "mac.school.local" I would make the server external only, but it needs to have an internal IP to talk to the AD server.
  c.) AD binding breaks randomly and I have to rebind the server to AD
  d.) When enrolling devices, Profile Manager starts rejecting certificates (not a trusted source, etc.) and I have to destroy OD and PM and start all over again.
  I know this is a lot and I'm not necessarily expecting anyone to answer all of these questions. I guess I'm wondering if anyone could point me in the right direction? I've looked for help with these issues all over the place, but none of the environments I read about are quite like the one I'm in.

  Yes, I am not giving the real domain name here.
  No prob. just checking, sometimes people have weird domain names never know if they are real or they expect them to be real or they put domain names owned by someone else on their internal network eek.
  Not really needed to use mac.school.org internally, that is in local LAN. The thing to understand about DNS is the scope for which a DNS zone is relevant WRT a client machine — inside LAN or on Internet, and which DNS server is authoritative for a domain. Authoritative in the sense of 'the final word'.
  Go to Network Utility on your mac, type in your real domain name (whatever you are changing to school.org to hide it) what comes back. On my server I see the below (I have replaced my real, Internet legal domain, to 'example.com')
  In my setup I have, on the LAN, setup the Mac server to be authoritative for domain 'example.com'. On the Internet however it is another external DNS server.
  So you have set DNS forwarders on the Mac machine?
  I really don't believe that the machine's hostname is changing, it is statically configured. What I believe is happening is that DNS name resolution is telling you different things at different times because you are using different DNS servers.
  On mac machine terminal type $less /etc/resolv.conf and copy paste what it says. In server app Services | DNS right side does it say you have forwarders?
  Still it is not good to have two DNS domains in your internal LAN, there is no need to have school.org on the mac DNS unless it is going to be fully setup to be authoritative in the internal LAN for the domain school.org. You can have school.org on the Internet (Internet scope of users point 1) and school.local on internal machine (LAN scope of users).
  Lookup has started…
  Trying "example.com"
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53292
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
  ;; QUESTION SECTION:
  ;example.com.                   IN        ANY
  ;; ANSWER SECTION:
  example.com.     10800          IN        SOA          example.com. admin.example.com. 2013010907 3600 900 1209600 86400
  example.com.     10800          IN         NS          server.example.com.
  example.com.     10800          IN         MX          10 server.example.com.
  ;; ADDITIONAL SECTION:
  server.example.com. 10800       IN          A          192.168.1.20
  Received 145 bytes from 127.0.0.1#53 in 2 ms

• ACS 5.2 does not check Active directory changes

  Hi all,
  I am working with ACS 5.2 and using Radius authentication for vpn client.
  The authentication method used is Active Directory in an Windows enviroment with multiple domains in the same forest.
  My problem occurs when i change a user from one group to another in Active Directory. After that i receive the following message when try to connect:
  15039 Selected Authorization Profile is DenyAccess
  The message is because match the default policy.
  Another user in the same AD group works fine.
  All domain in the forest have trust relation each other.
  I am using universal groups to include users from all domain belongs this forest.
  Can anyone help me?
  Regards

  Dear all,
  Hope you can help me with a similar issue i am facing on migration from Cisco ACS 4.1.24 to Cisco 5.3.0.40
  and testing Radius authentication for vpn client users.
  The authentication method used is external Active Directory and for some users authenticating to the external AD via ACS, the following message is obtained:
  "15039 Selected Authorization Profile is DenyAcces", which results in Auth failure.
  Other users on the same AD group seem to work fine and there are no changes performed on the AD for any of the  concerned users.
  Looking at the detail report for the user, confirms  that no attributes  are returned to the Radius(under the other  attributes field) from the  external server. The Radius also returns the  following messages:
  "24412 User not  found in Active Directory"
  "22056 Subject not found in the applicable  identity store(s)"
  Within the ACS Identity sequence in the ID store, the  sequence is set to match on AD first and then Internal user.         The  Identity for the default network profile(for Radius users) is  configured to General sequence. The same user/s seem to work fine when  swithced to ACS4.
  We are also looking at possible NTP sync issue with the ACS/AD or  any NTLM/Kerberos auth issues or any issues related to applying the  latest ACS patch to the box.Please let me know if there is any AD related configs to be modified.
  Any help will be appreciated.
  Thanks and Regards.

• Certificate server, active directory...............

  hi,
  we r working on java cards....
  We need to install a certificate server......
  So i want to ask ...............
  Is there any special requirements for certificate server regarding to the active directory ???

  hi,
  we r working on java cards....
  We need to install a certificate server......
  So i want to ask ...............
  Is there any special requirements for certificate server regarding to the active directory ???

• Wlc and window active directory

  On the client side "user Credentials", I set "Use Windows logon" to autenticate. Here is my problem, upon boot no drives are mapped so I am assuming windwows is booting before authenication takes place. How can I resolve this? Thanks

  The problem is that unless you are authenticating the machine to AD as well, then when you log onto the laptop, you are using
  cached domain credentials and then the user is authenticating to the wireless.  In order for login scripts, group policy changes, etc to work, the machine must authenticate to the wireless so it is on the domain.  Then when you log onto the laptop, you are logging into the domain, just like with a wired PC.  So what you need to use is a wireless suplicant like WZC or CSSC that integrates into the msgina of the OS that allows authentication before login.  With the WZC, you will see an option to "authenticate as computer when computer information is available" on the Authentication tab of your wireless profile. Check out step 9 of the Client configuration section of this document  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t31.
  Your RADIUS server would also need to allow computers to authenticate.
  Thanks,
  Lee

• ACS Local databse authentication as a failover to Active Directory

  Hi all
  Router- 10.10.10.1
  ACS-10.10.10.2
  AD-10.10.10.3
  in AD - created  a group called "telnet users" - added user with name of - john
  I have added cisco router as clients in Cisco ACS 5.1 and integrated with Active directory. when i telnet to 10.10.10.1 , i can logon with Active directory account
  but i want a faiover to active directory with ACS local database
  Can you let me know how to configure?
  In ACS - i have created a user with name of - Test1 and  Identity group : all groups.
  Can any one help please.

  Hi,
  You need to create an Identity Store Sequence and then select that Identity Store under the Identity section of the Access Service.
  1.
  2.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Active Directory stability.

  Hello.
  So I'm having a heck of a time with stability of the connection to Active Directory from 10.6.5 Server. The server is bound to the AD domain, but when I try to use Workgroup Manager to browse the domain users or groups, it fails more than it works. Also, trying to add a domain group to a file share in Server Admin will have some odd behavior - in the instance that I can actually get the group to show up in the pick list, it will drag into the ACL window, but upon hitting Save it will disappear from the ACL.
  Note - throughout all these problems I can browse the directory using dscl with no problem. Other terminal commands don't seem to be as lucky. For example:
  $ id <user>
  id: <user>: no such user
  $ dscl localhost -read /Active\ Directory/All\ Domains/Users/<user>
  <blast of raw LDAP data including user certificate from Active Directory>
  Any ideas as to why there appears to be this disconnect between the raw directory services client and anything that uses directory services?

  Chris, is this something new that's just happened? Or are you just setting it up for the first time?
  Can't say I've heard of this issue before, but I would first try trashing DirectoryService in prefs, rebooting, and rebinding.
  I don't see how it could be a problem with DNS, if it's working part of the time, but I'd verify the server's DNS is correctly set as well.

• How to ACS 5.0.0.21 Expresss integrate with Active Directory Standar 2003 and authenticate PEAP MSCHAPV2

  Hi:
  My name is Ivan, I have a trouble
  I have a ACS 5.0.0.21 express, and i have to integrate with Active Directory (AD)  2003 Standar. I should authenticate the users of the Domain in the LAN with PEAP MSCHPAV2, using the follow:
  Cisco WLC 4402 + Cisco ACS 5.0.0.21 + Active Directory
  I need to know if i should to install a certificate in the ACS 5.0.0.21 or some agent remote install  in the AD.
  I put in the ACS a external database with the AD, and i already select the users on the domain in the ACS Express.
  Please could you tell me all the steps to autenticate the users on the Domain using the ACS Express and the Active Directory,
  I would like to know wich are the configuration that i have to do in my ACS express to authenticate using PEAP MSCHAPV2
  Regards
  Ivan

  See the below URL - multiple config guides on what you want to do:-
  http://www.cisco.com/en/US/products/ps6366/prod_configuration_examples_list.html
  HTH>

• "24427 Access to Active Directory failed" error in ACS 5.1

  Hello,
  I'm working on implementing a RADIUS authentication for wireless access with the following :
  - PCs running Windows 7, protocol used is PEAP (without validating the server certificate to make it simple at first),
  - AP 1252  configured to use a RADIUS server to authenticate (it's working good with an ACS server 4.2),
  - ACS Server 5.1.0.44.5 running as VM connected to an AD domain and working good with VPN connections,
  - AD domain running on Windows 2003 Server.
  My ACS VM is working good since a couple of months for VPN (RADIUS) and administration (TACACS) remote access, both using Active Directory. Now, I'd like to use it to authenticate people connecting to a 1252 Cisco access point but I'm getting this error "24427 Access to Active Directory failed". I switched from PEAP to LEAP but this is the same.
  All I can get running the expert troubleshoot
  Investigating failure code: 24427 Access to Active Directory failed
  Checking if Active Directory is configured
  Active Directory is configured
  Attempting connection to Active Directory
  Connection to Active Directory was successful.
  Troubleshooting completed.
  Click on Show Results Summary to view results.
  I followed this guide, at least for the ACS certificate section :
  http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml
  Anyone has an idea where the problem may come from?
  Thanks in advance,
  Vincent

  hey there, I ran into the same issue with 5.3 and it turned out being this bug. i came across your post looking for instructions on retrieving the logs. thanks mate.
  link
  Problem: Error "24495 Active Directory servers are not available"
  Authentication starts failing with this error: 24495 Active Directory servers are not available. in the ACS 5.3 logs.
  Solution
  Check the ACSADAgent.log file through the CLI of the ACS 5.x for messages such as:Mar 11 00:06:06 xlpacs01 adclient[30401]: INFO base.bind.healing Lost connection to xxxxxxxx. Running in disconnected mode: unlatch. If you see the Running in disconnected mode: unlatch error message, this means the ACS 5.3 cannot maintain a stable connection with Active Directory. The workaround is to either switch to LDAP or downgrade the ACS to 5.2 version. Refer to Cisco bug ID CSCtx71254 (registered customers only) for more information.

• Using Active Directory and ACS for Concentrator 3000 VPN

  Has anyone gone down the path of using Cisco ACS for network access control AND authenticating it with their W2K Active Directory for VPN 3000 concentrators? I did some research on Google, Cisco web, and this group, I did not find a definite answer on the best practice for the architecture and design, can anyone share your experience how you approached this?
  Below is my understanding, I appeciate any help to piece some or all the below together
  (1) The end state is once a VPN user is successfully authenticated, it is assigned to certain network access privilege based on its group's policy. How to accomplish this?
  (2) AD stores a central user database for user authentication. Each user may belong to one or more groups on the AD; ACS is reponsible for network access control for the specific groups and enforces these controls to the users via the concentrators.
  (3) Concentrator is the NAS, and ACS is the RADIUS server
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949b4.shtml
  (4) Concentrator can link to the AD as an external database: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/gs/gs3mgr.htm
  (5) A single "Tunnel Group" is created on the concentrator
  (6) Mulpile Groups, per corporate infosec policies are created on the AD
  (7) Mulpile Groups, per corporate infosec policies are also created on ACS, need to match with what're in the AD
  TIA.

  In order to restrict access for a specific AD group to specific SSID this is what you need to perform.
  When the WLC sends an authentication request to the  ACS, it will include  the SSID that the user is connecting to, in the  attribute  Calling-Station-Id(31). We can use this information to create  multiple  rules in ACS 5.x in order to take actions based on the  information  contained in the attribute.
  Under the  Users and Indetity Stores > click on Directory Groups > select  > check the group name you want to add and hit ok. Save the changes.
  We  just need to  create a DNIS rule that includes the name of the SSID and  use it as a  condition in any rule that we create for authentication.  The * is  required because the attribute not only contains the SSID but  also a MAC  address so the * is use as a regular expression.
  Now go to access-policies > default-network access > identity should be AD1.
  Go  to authorization > click on customize > move the  AD1:ExternalGroups and end-station filter attribute on the right side  and hit ok.
  After that slect the appropriate ad group for teachers and end-station filter.
  Save changes.
  Jatin Katyal
  - Do rate helpful posts -

• ACS 5.3, EAP-TLS Machine Authentication with Active Directory

  I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
  My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
  Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
  Evaluating Identity Policy
  15006 Matched Default Rule
  22037 Authentication Passed
  22023 Proceed to attribute retrieval
  24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
  24437 Machine not found in Active Directory
  22016 Identity sequence completed iterating the IDStores
  Evaluating Group Mapping Policy
  12506 EAP-TLS authentication succeeded
  11503 Prepared EAP-Success
  Evaluating Exception Authorization Policy
  15042 No rule was matched
  Evaluating Authorization Policy
  15006 Matched Default Rule
  15016 Selected Authorization Profile - Permit Access
  22065 Max sessions policy passed
  22064 New accounting session created in Session cache
  11002 Returned RADIUS Access-Accept
  I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
  Note: In my Identity Store Sequence, I did enable the option:
  For Attribute Retrieval only:
  If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
  but this only seems to work for internal identity stores (at least based on my testing)
  Under my Access Policy Identity tab, I configured the following Advanced features:
  Advanced Options
  If authentication failed
  RejectDropContinue
  If user not found
  RejectDropContinue
  If process failed
  RejectDropContinue
  And that didn't do anything either.
  Any ideas? Thanks in advance.

  Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
  Then can make a rule in the authorization policy such as
  If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

• Client Certificate Mapping authentication using Active Directory across trusted forests

  Hi,
  We currently have a setup where the on-premises environment and the cloud environment are based on two separate forests linked by a 1-way trust, i.e., the exist in the on-premises AD and the 1-way trust allows them to use their
  credentials to login to a cloud domain joined server. This works fine with the Windows authentication.
  We are now looking at implementing a 2-Factor authentication using Certificate. The PKI infrastructure exists in the On-Premises Forest. The users are able to successfully login to on-premise servers configured with "AD CLient Certificate
  Mapping".
  However, we are unable to achieve the same functionality on the cloud domain joined servers. I would like to know
  1. Is this possible?
  2. If yes, what do we need to do to make this work.
  Just to clarify, we are able to authenticate using certificates by enabling anonymous authentication. However, we are unable to do the same after turning on "Client Certificate Mapping authentication using Active Directory"

  1. Yes!
  2. Before answering this I need to know if your are trying to perform a smart card logon on a desktop/console or if you just want to use certificate based authentication in an application like using a web application with client certificate requirements
  and mapping?
  /Hasain
  We will eventually need it for smartcard logon on to desktop/console. However, at present, I am trying to use this for certificate based authentication on a web application.
  To simulate the scenario, I setup up two separate forests and established a trust between them.
  I then setup a Windows PKI in one of the forests and issued a client certificate to a user.
  I then setup a web server in both the forests and configured them for anonymous authentication with Client SSL requirement configured.
  I setup a test ASP page to capture the Login Info on both the servers.
  With the client and the server in the same forest, I got the following results
  Login Info
  LOGON_USER: CORP\ASmith
  AUTH_USER: CORP\ASmith
  AUTH_TYPE: SSL/PCT
  With the client in the domain with the PKI and the server in the other Forest, I got the following response
  Login Info
  LOGON_USER:
  AUTH_USER:
  AUTH_TYPE: 
  I tried the configuration with the Anonymous Authentication turned off and the AD CLient Certificate mapping turned on.
  With the client and the server in the same forest, I am able to login to the default page. However, with the server in a trusted forest, I get the following error.
  401 - Unauthorized: Access is denied due to invalid credentials.
  You do not have permission to view this directory or page using the credentials that you supplied

• ACS Express integration with Active Directory

  Hello,
  I have ACS Express version 5.0.1 installed on Cisco ADE; I'm trying to get it integreated with an Active Directory without sucess.
  I did packet captures on the ASA that is in between and I can see communication going thru just fine. I ran a diagnostic on the ACS express and got this:
  DIAGNOSTIC USING THE IP ADDRESS OF THE DOMAIN CONTROLLER:
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Tabla normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Output of AD Domain Diagnostics:
  IP Diagnostics
  Local host name: he-zfm-acs-01
  Local IP Address: 172.31.67.10
  Not found in DNS!Make sure it is in Reverse Lookup Zone.
  FQDN host name:he-zfm-acs-01.clarocr.americamovil.ca1
  Domain Diagnostics:
  Domain: 172.24.2.93
  Subnet site:
  WARNING! Unable to locate computer's subnet site in Active Directory.
  Ask your Active Directory administrator to add this computer's subnet
  to the appropriate site.
  DNS query for: _ldap._tcp.172.24.2.93
  Found no SRV records!
  Computer Account Diagnostics
  Not joined to any domain
  AD Agent Process Status: Not joined to any domain
  DIAGNOSTIC USING THE AD REALM:
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Tabla normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Output of AD Domain Diagnostics:
  IP Diagnostics
  Local host name: he-zfm-acs-01
  Local IP Address: 172.31.67.10
  FQDN host name:he-zfm-acs-02.clarocr.americamovil.ca1
  Domain Diagnostics:
  Domain: CLAROCR.AMERICAMOVIL.CA1
  Subnet site: TELECOM
  DNS query for: _ldap._tcp.CLAROCR.AMERICAMOVIL.CA1
  Found SRV records:
  rom-pro-dc-03.clarocr.americamovil.ca1:389
  Testing Active Directory connectivity:
  Domain Controller: rom-pro-dc-03.clarocr.americamovil.ca1
  ldap: 389/tcp - good
  ldap: 389/udp - good
  smb: 445/tcp - good
  kdc: 88/tcp - good
  kpasswd: 464/tcp - good
  ntp: 123/udp - good
  Domain Controller: rom-pro-dc-03.clarocr.americamovil.ca1:389
  Domain controller type: Windows 2003
  Domain Name: CLAROCR.AMERICAMOVIL.CA1
  isGlobalCatalogReady: TRUE
  domainFunctionality:
  forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
  domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
  Forest Name: AMERICAMOVIL.CA1
  DNS query for: _gc._tcp.AMERICAMOVIL.CA1
  Testing Active Directory connectivity:
  Global Catalog: rom-des-dc-01.desa1sv.americamovil.ca1
  gc: 3268/tcp - timeout
  No TCP LDAP response, giving up on rom-des-dc-01.desa1sv.americamovil.ca1
  Global Catalog: rom-amv-dc-02.americamovil.ca1
  gc: 3268/tcp - good
  Global Catalog: rom-tlc-dc-01.telecom.americamovil.ca1
  gc: 3268/tcp - good
  Global Catalog: rom-pro-dc-03.clarocr.americamovil.ca1
  gc: 3268/tcp - good
  Global Catalog: rom-tlc-dc-02.telecom.americamovil.ca1
  gc: 3268/tcp - good
  Global Catalog: rom-amv-dc-01.americamovil.ca1
  gc: 3268/tcp - good
  Domain Controller: rom-amv-dc-02.americamovil.ca1:3268
  Domain controller type: Windows 2003
  Domain Name: AMERICAMOVIL.CA1
  isGlobalCatalogReady: TRUE
  domainFunctionality:
  forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
  domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
  Domain Controller: rom-tlc-dc-01.telecom.americamovil.ca1:3268
  Domain controller type: Windows 2003
  Domain Name: TELECOM.AMERICAMOVIL.CA1
  isGlobalCatalogReady: TRUE
  domainFunctionality:
  forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
  domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
  Domain Controller: rom-pro-dc-03.clarocr.americamovil.ca1:3268
  Domain controller type: Windows 2003
  Domain Name: CLAROCR.AMERICAMOVIL.CA1
  isGlobalCatalogReady: TRUE
  domainFunctionality:
  forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
  domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
  Domain Controller: rom-tlc-dc-02.telecom.americamovil.ca1:3268
  Domain controller type: Windows 2003
  Domain Name: TELECOM.AMERICAMOVIL.CA1
  isGlobalCatalogReady: TRUE
  domainFunctionality:
  forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
  domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
  Domain Controller: rom-amv-dc-01.americamovil.ca1:3268
  Domain controller type: Windows 2003
  Domain Name: AMERICAMOVIL.CA1
  isGlobalCatalogReady: TRUE
  domainFunctionality:
  forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
  domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
  Forest Name: AMERICAMOVIL.CA1
  Computer Account Diagnostics
  Not joined to any domain
  AD Agent Process Status: Not joined to any domain

  Dennis,
  TIme in sync on the ACS and AD servers?
  Faisal

• Looking for successful auth debug between cisco 1113 acs 4.2 and Active Directory

  Hello,
  Does anyone have a successful authentication debug using cisco 1113 acs 4.2 and Active Directory?  I'm not having success in setting this up and would like to see what a successful authentication debug looks.  Below is my current situation:
  Oct  6 13:52:23: TPLUS: Queuing AAA Authentication request 444 for processing
  Oct  6 13:52:23: TPLUS: processing authentication start request id 444
  Oct  6 13:52:23: TPLUS: Authentication start packet created for 444()
  Oct  6 13:52:23: TPLUS: Using server 110.34.5.143
  Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
  Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: socket event 2
  Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
  Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 26 (0x1A)
  Oct  6 13:52:23: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
  Oct  6 13:52:23: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
  Oct  6 13:52:23: T+: user: 
  Oct  6 13:52:23: T+: port:  tty515
  Oct  6 13:52:23: T+: rem_addr:  10.10.10.10
  Oct  6 13:52:23: T+: data: 
  Oct  6 13:52:23: T+: End Packet
  Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: Would block while reading
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 28 bytes response
  Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
  Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
  Oct  6 13:52:23: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
  Oct  6 13:52:23: T+: msg:  Username:
  Oct  6 13:52:23: T+: data: 
  Oct  6 13:52:23: T+: End Packet
  Oct  6 13:52:23: TPLUS(000001BC)/0/46130160: Processing the reply packet
  Oct  6 13:52:23: TPLUS: Received authen response status GET_USER (7)
  Oct  6 13:52:30: TPLUS: Queuing AAA Authentication request 444 for processing
  Oct  6 13:52:30: TPLUS: processing authentication continue request id 444
  Oct  6 13:52:30: TPLUS: Authentication continue packet generated for 444
  Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
  Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
  Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 15 (0xF)
  Oct  6 13:52:30: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
  Oct  6 13:52:30: T+: User msg: <elided>
  Oct  6 13:52:30: T+: User data: 
  Oct  6 13:52:30: T+: End Packet
  Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE: wrote entire 27 bytes request
  Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
  Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 28 bytes response
  Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
  Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
  Oct  6 13:52:30: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
  Oct  6 13:52:30: T+: msg:  Password:
  Oct  6 13:52:30: T+: data: 
  Oct  6 13:52:30: T+: End Packet
  Oct  6 13:52:30: TPLUS(000001BC)/0/46130160: Processing the reply packet
  Oct  6 13:52:30: TPLUS: Received authen response status GET_PASSWORD (8)
  Oct  6 13:52:37: TPLUS: Queuing AAA Authentication request 444 for processing
  Oct  6 13:52:37: TPLUS: processing authentication continue request id 444
  Oct  6 13:52:37: TPLUS: Authentication continue packet generated for 444
  Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
  Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
  Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
  Oct  6 13:52:37: T+: AUTHEN/CONT msg_len:11 (0xB), data_len:0 (0x0) flags:0x0
  Oct  6 13:52:37: T+: User msg: <elided>
  Oct  6 13:52:37: T+: User data: 
  Oct  6 13:52:37: T+: End Packet
  Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE: wrote entire 28 bytes request
  Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 33bytes data)
  Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 45 bytes response
  Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
  Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 33 (0x21)
  Oct  6 13:52:37: T+: AUTHEN/REPLY status:7 flags:0x0 msg_len:27, data_len:0
  Oct  6 13:52:37: T+: msg:  Error during authentication
  Oct  6 13:52:37: T+: data: 
  Oct  6 13:52:37: T+: End Packet
  Oct  6 13:52:37: TPLUS(000001BC)/0/46130160: Processing the reply packet
  Oct  6 13:52:37: TPLUS: Received Authen status error
  Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: timed out
  Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: No sock_ctx found while handling request timeout
  Oct  6 13:52:37: TPLUS: Choosing next server 101.34.5.143
  Oct  6 13:52:37: TPLUS(000001BC)/1/NB_WAIT/46130160: Started 5 sec timeout
  Oct  6 13:52:37: TPLUS(000001BC)/46130160: releasing old socket 0
  Oct  6 13:52:37: TPLUS(000001BC)/1/46130160: Processing the reply packet
  Oct  6 13:52:49: TPLUS: Queuing AAA Authentication request 444 for processing
  Oct  6 13:52:49: TPLUS: processing authentication start request id 444
  Oct  6 13:52:49: TPLUS: Authentication start packet created for 444()
  Oct  6 13:52:49: TPLUS: Using server 172.24.5.143
  Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
  Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: socket event 2
  Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
  Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 26 (0x1A)
  Oct  6 13:52:49: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
  Oct  6 13:52:49: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
  Oct  6 13:52:49: T+: user: 
  Oct  6 13:52:49: T+: port:  tty515
  Oct  6 13:52:49: T+: rem_addr:  10.10.10.10
  Oct  6 13:52:49: T+: data: 
  Oct  6 13:52:49: T+: End Packet
  Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: Would block while reading
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 43bytes data)
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 55 bytes response
  Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
  Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 43 (0x2B)
  Oct  6 13:52:49: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
  Oct  6 13:52:49: T+: msg:   0x0A User Access Verification 0x0A  0x0A Username:
  Oct  6 13:52:49: T+: data: 
  Oct  6 13:52:49: T+: End Packet
  Oct  6 13:52:49: TPLUS(000001BC)/0/46130160: Processing the reply packet
  Oct  6 13:52:49: TPLUS: Received authen response status GET_USER (7)
  The 1113 acs failed reports shows:
  External DB is not operational
  thanks,
  james

  Hi James,
  We get External DB is not operational. Could you confirm if under External Databases > Unknown User           Policy, and verify you have the AD/ Windows database at the top?
  this error means the external server might not correctly configured on ACS external database section.
  Another point is to make sure we have remote agent installed on supported windows server.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp289013
  Also provide the Auth logs from the server running remote agent, e.g.:-
  AUTH 10/25/2007 15:21:31 I 0376 1276 External DB [NTAuthenDLL.dll]:
  Attempting Windows authentication for user v-michal
  AUTH 10/25/2007 15:21:31 E 0376 1276 External DB [NTAuthenDLL.dll]: Windows
  authentication FAILED (error 1783L)
  thanks,
  Vinay